HIPAA GUIDANCE: ALTERATION OR WAIVER OF AUTHORIZATION (AWA) Revised: July 9, 2004

Transcription

1 HIPAA GUIDANCE: ALTERATION OR WAIVER OF AUTHORIZATION (AWA) Revised: July 9, 2004 This guidance addresses: 1. Criteria a covered function should employ for evaluating an IRB issued AWA to determine its adherence to the HIPAA regulations 2. IRB AWA criteria and a covered function s adherence to the minimum necessary standard for release of PHI identified in a valid AWA 3. Mechanisms available to a covered function for providing PHI identified in an AWA to a researcher 4. Accounting for disclosures when releasing PHI to a researcher outside of the covered function via the AWA mechanism NB: Parts of this guidance are specific to the SUNY-UB HIPAA hybrid entity environment where the SUNY-UB research function, and consequently any SUNY-UB researcher, has been specifically defined as being separate from, and not part of, any HIPAA covered function/entity. It is specifically applicable to all SUNY-UB researchers in any setting dealing with a HIPAA covered function/entity and, separately, all SUNY- UB covered functions.

2 1) Covered function criteria for determining that an alteration or waiver of authorization (AWA) has been appropriately executed by an IRB 45 CFR (i) addresses the documentation that must be provided by an IRB to constitute a valid AWA. Specifically, the required elements are: (1)(i)(A) Issued by an Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR , 14 CFR , 15 CFR , 16 CFR , 21 CFR , 22 CFR , 24 CFR , 28 CFR , 32 CFR , 34 CFR , 38 CFR , 40 CFR , 45 CFR , 45 CFR , or 49 CFR (2)(i) Identification and date of action. A statement identifying the IRB and the date on which the alteration or waiver of authorization was approved; (2)(ii) Waiver criteria. A statement that the IRB has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria [Note: A covered function is not responsible for separately determining that the criteria identified in (2)(ii) have been met. The covered function is only required to confirm that the alteration or waiver of authorization contains a statement from the IRB comprised of these elements]: (A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; (1) An adequate plan to protect the identifiers from improper use and disclosure; (2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law (3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart (B) The research could not practicably be conducted without the waiver or alteration

3 (C) The research could not practicably be conducted without access to and use of the protected health information. (2)(iii) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB pursuant to paragraph (i)(2)(ii)(c) of this section (2)(iv) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures 1 (2)(v) (v) Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB If a waiver in whole is not issued, the covered function must adhere to the constraints associated with the waiver in part or alteration in whole or in part as identified in the AWA. Any request for PHI by the researcher that falls outside the parameters identified in a valid AWA will require a separate HIPAA PHI research disclosure mechanism to be in place. In general, an AWA issued by an IRB containing these elements may be used by the covered function to release the PHI listed in section (2)(iii) of the AWA to the requesting researcher. The UB IRB currently issues a 2-part AWA. The AWA itself contains all required elements with the exception of (2)(iii) above. The information required for (2)(iii) is contained in a separate UB document titled The Request for Waiver of Individual Authorization for Use of Individually Identifiable Health Information. This document is completed by the researcher and submitted to the UB IRB for its review in determining that AWA criteria under (2)(ii) can be met. Question #1 of this document contains the information that constitutes the required (2)(iii) element of the AWA. This document can be considered part of the AWA provided it is stamped, dated and signed or initialed by the UB IRB. 1 An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR (b), 14 CFR (b), 15 CFR (b), 16 CFR (b), 21 CFR (b), 22 CFR (b), 24 CFR (b), 28 CFR (b), 32 CFR (b), 34 CFR (b), 38 CFR (b), 40 CFR (b), 45 CFR (b), 45 CFR (b), or 49 CFR (b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR , 14 CFR , 15 CFR , 16 CFR , 21 CFR , 22 CFR , 24 CFR , 28 CFR , 32 CFR , 34 CFR , 38 CFR , 40 CFR , 45 CFR , 45 CFR , or 49 CFR )

4 Once the PHI identified in section (2)(iii) of a AWA is released to a researcher who is outside of the covered function (i.e., any SUNY-UB researcher), the covered function has no additional HIPAA obligations with regards to the researcher s subsequent use of the information. In particular, the covered function is not responsible for ensuring that the researcher is in or remains in compliance with the representations they made to the IRB, which may or may not be known by the covered function, in order to obtain the AWA. The UB Request for Waiver of Individual Authorization for Use of Individually Identifiable Health Information form provides additional information that is intended for internal UB IRB use in making its determination on whether or not to issue an AWA to the researcher. The information provided in questions 2-6 and the subsequent researcher attestation is not information that a covered function needs to evaluate in determining whether the AWA is valid. As noted in the preceding criteria section, a covered function is not responsible for separately determining that the criteria in (2)(ii) of a valid AWA have been met. The Office of Civil Rights (OCR), which is responsible for compliance with the HIPAA Privacy Regulations, has addressed the broad discretion it permits IRBs in determining that these criteria have been met 2 : Question Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects? Answer Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule s criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks. While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the Department will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about the Common Rule and Institutional Review and Privacy Boards. 2 OCR HIPAA Privacy guidance on Research; December 3, 2002; also available on HHS WEB FAQ ( Answer ID=303, dated 03/03/ :30 PM

5 2) Minimum Necessary and PHI access The HIPAA standard of Minimum Necessary, covered in 45 CFR (b), applies to the release of information associated with an AWA. This impacts the IRB, the SUNY- UB researcher, and the covered function in the following areas: a) IRB Determination of the minimum necessary PHI required by the researcher. The AWA criteria in 45 CFR (i)(2)(ii)(C) restrict an IRB to granting an AWA only for PHI that is specifically required for use in the research study. In granting the AWA, it is incumbent upon the IRB to evaluate the PHI being requested by the researcher and to determine that its use is necessary for the conduct of the research. An IRB may not grant an AWA permitting access to PHI that is not required for use in the study. Specifically an IRB cannot grant an AWA for accessing the entire medical record as a mechanism for permitting the researcher to enter the covered function in order to create a subset PHI dataset from the medical record when that subset of PHI is all that is required for use in the research. b) Covered function determination of the minimum necessary PHI required by the researcher. A covered function may rely on the IRB s determination in this regard as to what constitutes the minimum necessary information required to conduct the research per 45 CFR (d)(3)(iii)(D). This means the covered entity may, without further analysis, provide the researcher with the PHI specifically determined as necessary for the conduct of the research in section (2)(iii) of a valid AWA 3 : Question May a covered entity accept documentation of an external Institutional Review Board's (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary? Answer Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher s documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR (i) that the information requested is the minimum necessary for the research purpose. See 45 CFR (d)(3)(iii). This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or from one that is associated with the covered entity. 3 HHS WEB FAQ (see footnote 2) Answer ID=217; Category: Privacy of Health Information/HIPAA, Minimum Necessary, Research Uses and Disclosures, Smaller Providers/Small Businesses; Date updated: 07/18/ :01 AM

6 c) Covered function creation of the data set identified as minimum necessary for disclosure to the external researcher. A covered entity may only permit the researcher access to, and use of, PHI that is specifically required for the conduct of the research as identified in section (2)(iii) of a valid AWA. Often, this data resides co-mingled with other PHI in the covered function s PHI repository, e.g., within the medical or dental record. Creation of a data set for use by an external researcher is an activity of the covered function and is not a research activity that can be conducted by the researcher. Specifically, the AWA is not a mechanism by which the researcher may access PHI other than that identified in section (2)(iii) of the AWA, i.e., the researcher may not be given access to a superset of PHI, such as the medical or dental record, in order to create a data set of the required PHI elements identified in the AWA. 3) Mechanisms available to covered functions for providing PHI to a SUNY-UB researcher The covered function s creation of the PHI data set required by the researcher, as identified in (2)(iii) of the AWA, can be approached in basically one of two ways: a) The data set is generated by the covered function through activities of its workforce. b) The data set is generated by a business associate of the covered function, with an appropriately executed business associate agreement (BAA) in place governing the service of creating this data set. In both cases, creation of the data set is an activity of the covered function that falls within the Operations component of its HIPAA Treatment, Payment and Operations activities. Consequently, all access to and use of PHI for this activity constitutes a use of PHI by the covered entity. In instances where the researcher, in a separate and distinct capacity from their research (non-covered function) duties, is also a member of a covered function s workforce, they may created the required data set via mechanism (i) provided that activity is formally part of their separate and distinct job duties within the covered function. Note that per 45 CFR Definitions: Workforce, volunteers are defined to be members of the covered function s workforce. An external researcher who is also a formal volunteer of the covered function could create the required data set by way of this mechanism provided that the covered function has an formally and appropriately established mechanism for appointing volunteers, that this activity is formally defined by

7 the covered function as part of the volunteer s duties, and that volunteers in the covered function are required to fully comply with all aspects of the covered function s HIPAA implementation pertaining to its workforce. If the researcher is not part of the covered function which possesses the required PHI, and the covered function does not have a mechanism for providing the researcher with only the PHI identified in the waiver, then the researcher may perform the dataset creation only via mechanism 3)(b). 4 Mechanism 3)(b) is not recommend for use by SUNY-UB researchers wishing to access PHI within a SUNY-UB covered function. If a SUNY-UB researcher wishes to enter into a BAA with a non-suny-ub covered entity, an appropriate SUNY-UB signatory agent needs to be identified by the UB Director of HIPAA Compliance and the BAA must be vetted by legal counsel associated with the signatory agent. 4) Accounting for disclosures Pursuant to 45 CFR , the covered function must be able to provide an accounting of PHI disclosures. Such an accounting is required when PHI defined in section (2)(iii) of a valid AWA is released by a covered function to a SUNY-UB researcher. An accounting for disclosures is not required for the covered function s use of PHI in creating the PHI dataset as this activity constitutes a use as part of Treatment/Payment/Operations of the covered function, and not a disclosure by the covered function. 4 HHS WEB FAQ (see footnote 2); Answer ID=249; Category: Privacy of Health Information/HIPAA, Business Associates, Limited Data Set; Date updated: 03/03/ :16 PM; generalized from example where BAA is identified as the proper mechanism to be used by a researcher to create limited data required to conduct their research when the covered entity cannot provide this service.